SAST file detection should not be case sensitive
Summary
Case-insensitive servers or operating systems (such as Microsoft Windows) normally allow file extensions to contain capital letters. If a project contains such files (e.g. test.PHP), they will not be scanned, because they do not match the expected extension, which must be a lowercase string. This reduces the effectiveness of the SAST scan.
Steps to reproduce
To reproduce the issue, add a file containing vulnerabilities to a new or existing project, and make
sure that its extension contains one or more capital letters, such as .PHP.
The following projects contain exactly the same files and configuration, the only difference being the uppercase extension in "TestPHP2".
Project definitions
Results
What is the current bug behavior?
Files with extensions containing capital letters do not get detected and scanned.
What is the expected correct behavior?
Files with extensions containing capital letters are detected and scanned.
Possible fixes
There are two potential spots where this behavior needs to be addressed.
- SAST vendored template
- SAST analyzer match logic
Implementation Plan
- Update the `SAST.gitlab-ci.yml` `rules.exists` conditions to include globs for all case variations (`**/*.rb` => `**/*.{rb,RB,rB,Rb}`)
- Update the `Dependency-Scanning.gitlab-ci.yml` `rules.exists` conditions to include globs for all case variations (`**/*.rb` => `**/*.{rb,RB,rB,Rb}`)
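The following is an added example, not GitLab's own code, illustrating both spots named above: the case-sensitive suffix comparison from the Summary that silently skips `Test.PHP`, the corrected analyzer match logic that normalises the suffix before comparing, and a small generator for the case-variation brace globs the implementation plan proposes for `rules.exists`. The file listing and the `SCANNED_EXTENSIONS` set are constructed for the example; the function names are hypothetical.

```python
"""Added example (not GitLab's or an analyzer's own code).

Shows why files such as Test.PHP are skipped by a lowercase-only extension
check, the case-insensitive fix for the analyzer, and how to expand a
rules:exists glob into all upper/lower-case variants.
"""
import itertools
from pathlib import PurePosixPath

# Constructed sample repository listing; one PHP and one Ruby file use
# uppercase letters in the extension, as in the "TestPHP2" project.
SAMPLE_FILES = [
    "src/index.php",
    "src/legacy/Test.PHP",
    "lib/helper.Rb",
    "README.md",
]

# Extensions the (hypothetical) analyzer scans, stored lowercase.
SCANNED_EXTENSIONS = {".php", ".rb"}


def select_case_sensitive(paths, extensions=SCANNED_EXTENSIONS):
    """Buggy behaviour: only an exact lowercase suffix match is scanned."""
    return [p for p in paths if PurePosixPath(p).suffix in extensions]


def select_case_insensitive(paths, extensions=SCANNED_EXTENSIONS):
    """Fixed analyzer match logic: lowercase the suffix before comparing."""
    wanted = {e.lower() for e in extensions}
    return [p for p in paths if PurePosixPath(p).suffix.lower() in wanted]


def case_variants(ext):
    """Return every upper/lower-case spelling of an extension such as 'rb'.

    Non-alphabetic characters (digits, '+') have a single form, so 'c3'
    yields only c3 and C3.
    """
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in ext]
    # dict.fromkeys keeps first-seen order and drops duplicates.
    return list(dict.fromkeys("".join(t) for t in itertools.product(*choices)))


def case_variant_glob(pattern):
    """Rewrite '**/*.rb' into '**/*.{rb,rB,Rb,RB}' for a rules:exists entry.

    Patterns without an extension, or that already carry a brace list,
    are returned unchanged.
    """
    stem, dot, ext = pattern.rpartition(".")
    if not dot or not ext or "{" in ext:
        return pattern
    return f"{stem}.{{{','.join(case_variants(ext))}}}"


if __name__ == "__main__":
    print("case-sensitive  :", select_case_sensitive(SAMPLE_FILES))
    print("case-insensitive:", select_case_insensitive(SAMPLE_FILES))
    for g in ("**/*.rb", "**/*.php", "Dockerfile"):
        print(g, "=>", case_variant_glob(g))
```

The brace list grows as 2^n in the number of alphabetic characters (`.rb` gives 4 entries, `.yaml` gives 16), which is tolerable for `rules.exists` but is a reason to also fix the comparison inside the analyzer rather than rely on the template glob alone.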

